If you're using the sarge version of bind9-host, with the sarge version of libssl0.9.7, and running all this on an i686-class system, then you're looking at bug #321721. The issue is that, if a binary includes hand-written assembly, gcc will assume by default that the code requires an executable stack unless you set a .note.GNU-stack section in the assembly file which says otherwise. And the i686 version of libcrypto includes (surprise!) hand-written assembly.

This bug is already fixed for etch, both in libcrypto.so.0.9.7 and libcrypto.so.0.9.8.

I've watched with growing dismay as Debian's press officer continued to blog prognostications of doom for the future of Debian security, which have done nothing but whet the press's appetite for a story of impending disaster. I find this kind of blogging to be irresponsible in the extreme; not only does it not help fix the problems, it doesn't even help users make informed decisions because it doesn't contain salient facts.

Three security advisories had already been issued for sarge on July 1. Binaries for the arm architecture were not included, but most users were covered by the binaries that were made available.

The arm autobuilder has since caught up with those advisories, so updated advisories will probably be available soon. In addition, three more security advisories were issued for sarge on July 5 that include binaries for all architectures, and two more have been issued so far today.

Security updates for woody were not being built on ia64 and arm because no buildd was configured to do so. (These are the missing builds Joey blogged about.) Once this issue was identified, it was quickly resolved; in any case, it had no impact on the infrastructure for sarge updates.

Joey correctly identified in his blog that there was an issue with two packages (one each from woody and sarge) not being picked up for building. Once this issue was identified to the people responsible for the infrastructure, it was quickly resolved.

There was one last missing sarge build on m68k, for zlib. This was a case of the package going missing after being built, which happens from time to time with the autobuilders; it doesn't point to a (fixable) software failure, and the only thing to be done is to re-try the build. This was done, and the advisory was issued today as DSA 740, before the corresponding advisory from Red Hat...

Lest this be seen as a fluke instead of being representative of Debian's security support going forward, it looks like there are six more advisories in the queue for sarge and about a dozen pending for woody.

While I agree that there's a need for Debian to expand its security team, following the controversy in June we now have three security team members actively working on security (two full members and a security team secretary), which AIUI is a 50% increase over where we'd been earlier this year.

I share Joey Schulze's dissatisfaction with the state of security support for this past month, but his blog smacks of bitterness, not of measured objectivity. So here we are, five days after the first security advisories have been published for sarge, and new stories are still appearing in the press reporting that Debian is OMFG broken.

Is there any hope that the press will give the same coverage of the story that Debian's security infrastructure is not broken?

It is not a violation of your rights to free speech, free association, privacy, due process, or exercise of your religion to opine that you should commit suicide.

OTOH, it is evident that given how you choose to spend your time, your continued breathing has a chilling effect on freedom of speech and interferes with others' right to due process.

Suicide — the ethical choice.

If you are interested in adding me to the list of defendants in this case, so that I, too, may reap the windfall of your patent portfolio when you are countersued for this frivolous lawsuit, my address and location is believed to be within the State of Oregon, but is unknown at the present time.

Sincerely,
Steve Langasek

P.S. — Jeff Merkey, idiot of the year: you do not create patents, you create inventions and are issued patents for them. At least, that's the system that the federal government has set up. Come to think of it, perhaps you actually are creating patents without actual inventions; that would explain a lot about your affinity for wrongful suits, wouldn't it?

A bug has been discovered in the 3.1r0 CD/DVD images: new installs from these images will have a commented-out entry in /etc/apt/sources.list for "http://security.debian.org/ testing/updates" rather than an active entry for "http://security.debian.org/ stable/updates", and thus will not get security updates by default. This was due to incorrect Release files on the images.

If you have already installed a system using a 3.1r0 CD/DVD image, you do not need to reinstall. Instead, simply edit /etc/apt/sources.list, look for any lines mentioning security.debian.org, change "testing" to "stable", and remove "# " from the start of the line.

If you installed other than from a CD or DVD (for example, netboot, or booting from floppy and installing the base system from the network), you are not affected by this bug.

New 3.1r0a images will be available shortly to correct this flaw. We apologise for the inconvenience.

The CD team is already working on making fixed ISOs/jigdos/torrents available; unfortunately, with 11 architectures and multiple media sizes, this process takes a while, so it will probably be a day or two before the fixed 3.1r0a images are available everywhere.
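The manual sources.list fix described above can be scripted for several affected machines. This is an added example, not part of the original announcement; the function name and the sample file contents (including the mirror line) are constructed, and it only rewrites `deb`/`deb-src` entries that mention security.debian.org.

```python
def fix_security_entries(text: str) -> str:
    """Activate security.debian.org entries and switch their suite from
    testing to stable, leaving every other line untouched."""
    out = []
    for line in text.splitlines():
        if "security.debian.org" in line:
            # Drop the leading "# " (with or without the space).
            body = line.lstrip().lstrip("#").lstrip()
            fields = body.split()
            # Expected layout: type, URI, suite, components...
            if len(fields) >= 3 and fields[0] in ("deb", "deb-src"):
                suite = fields[2]
                if suite == "testing" or suite.startswith("testing/"):
                    # Only the suite field changes, never the URI.
                    fields[2] = "stable" + suite[len("testing"):]
                line = " ".join(fields)
            # Ordinary comments that merely mention the host stay as they are.
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample resembling an affected 3.1r0 install.
SAMPLE = """\
deb http://ftp.debian.org/debian/ stable main
# deb http://security.debian.org/ testing/updates main contrib
# Security updates: see http://security.debian.org/
"""

if __name__ == "__main__":
    print(fix_security_entries(SAMPLE), end="")
```

The function is idempotent, so running it on an already corrected file changes nothing; write the result to a copy and compare it against the original before replacing /etc/apt/sources.list.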

Let's see how many Planet Debian posts in a row we can get about the fact that sarge is released! Yeah! ;)

I've already been personally congratulated a number of times today on the release, and I know the other members of the release team have also been congratulated. This feels awkward to me, because even though I've certainly put in long hours trying to pull this together (and hold it together), this is a community effort: the release team cannot and does not do this alone. There are many other teams involved in achieving a Debian release, and all the release schedule frustrations and eventual triumphs :) happen in a much larger context than that of "the release team".

So when congratulating the people responsible for the release of this latest iteration of Debian's high-quality, free operating system, don't forget to congratulate and thank the FTP team, for their behind-the-scenes work keeping the system running that makes development possible; the documentation team, for their fine work on the sarge installation manual and the (somewhat hurried :) release notes; the CD team and mirror team, for the long hours they put in this weekend to get our official distribution channels in shape; the installation team, for the flexible new Debian-Installer; the porters, some of whom had to fight last minute buildd outages (naturally ;) to get those last few bugs fixed; and some other teams too that aren't unimportant to the process just because I'm in too much of a daze to acknowledge them here.

And thanks to the many maintainers, bug fixers, translators and documentors who have helped to make sarge a distribution worth releasing.

Sarge is once again proof that communities can do great things — even communities of irritable, cantankerous, grudge-holding, flaming Free Software nuts. ;)

Raphaël writes that Debian's decision to hold everything in the Debian main archive to the same standard of freeness (the DFSG) was a mistake, and that it's necessary to fix this mistake with another general resolution.

While it's fine to disagree with the outcome of the previous changes, please don't start a new GR unless you think there's a real reason to believe the outcome will be different. As you can see from the tally sheet for that vote, with 396 developers voting, we had the participation of a sizable percentage of all developers (though, interestingly, less than in most DPL elections), and came nowhere near the 3:1 supermajority needed to rescind the changes. Since everyone's votes on this issue are public, it should be straightforward to canvass the developers who didn't vote or who voted against reverting the change, to get support for this change before putting everyone through the GR process again.

In contrast, I don't think public pronouncements about how bad of an idea this change was are going to get us anywhere. In fact, we've had almost a year of such public pronouncements, from various people, that haven't gotten us anywhere.

This port assignment has been in place with IANA for several years now, and actively used by Microsoft implementations since at least the release of Windows 2000. If anything, your Uni's policy change seems to come a bit late to the game. But I guess that also explains why they've done badly enough with it that they're dropping packets on the floor...

Needless to say, trying to stop people from implementing new network protocols and asking for new port assignments would be futile. ;)

Jordi expresses his concern that the American public could've voted this chucklehead in for a second four-year term. While I certainly voted for Kerry, and think that the vast majority of Bush backers should be sterilized along with their children, it's important to remember that the best that can be said about Kerry is that he's the lesser of two evils.

Kerry is a career politician, and in that sense is no better than any of the other alternatives out there. The only candidate in the Democratic party's primaries who didn't reek of politics was Kucinich, who stood a snowball's chance in hell of taking the nomination — let alone beating Bush. Voting for Kerry was very much a question of the lesser of two evils; these were votes against Bush, not votes for Kerry.

And the main point of differentiation between Bush and Kerry is that Bush has gotten us into a war we shouldn't be in; on many other issues, as people have pointed out, Kerry is likely to be worse than Bush, not better. When so many Americans — including my father — still buy the administration's line that this war was necessary, getting a sufficient majority of Americans to understand the war was wrong to the point of actually voting the slime out of office is quite a challenge — and one we failed at in the 2004 elections.

The bright side in all of this is that four more years of Bushocracy may be just the wake-up call the American public needs in order to advance some real reform in 2008. Assuming that Bush doesn't attempt to declare martial law at the end of 2008 and try to make himself dictator for life, that is. :P

As long as the US is beholden to a self-sustaining, two-party political system that no one believes can be changed, real reform is impossible. The dollar signs behind Kerry are the same as the ones behind Bush. It doesn't surprise me at all that Nader stayed in the race, in spite of the possibility that his candidacy could negatively affect Kerry.

One tantalizing suggestion from an NPR commentator, though, was that the 2008 elections would be the year we could see a genuine Internet candidate emerge courtesy of the blogosphere. So, who wants to make the first nomination?